Compare commits
No commits in common. "57f32743f3c35bed3153e99b61a5af684caecff7" and "1a7e566d5b481d4f7f5d8126940580cd7648a72f" have entirely different histories.
57f32743f3
...
1a7e566d5b
@ -32,18 +32,14 @@ the feed or `opml2md`'s best guess.
- [Blog – JoeRess.com](https://joeress.com) [(Feed)](https://joeress.com/category/blog/feed/)
- [Ctrl blog](https://feed.ctrl.blog) [(Feed)](https://feed.ctrl.blog/latest.atom)
- [Drew DeVault's blog](https://drewdevault.com) [(Feed)](https://drewdevault.com/blog/index.xml)
- [duponin](https://dupon.in/index.xml) [(Feed)](https://dupon.in/index.xml)
- [Gaia Newsletter](https://apprise.prod.gaiaplant.app) [(Feed)](https://apprise.prod.gaiaplant.app/archive.xml)
- [Grumpy Website](https://grumpy.website) [(Feed)](https://grumpy.website/feed.xml)
- [ilja](https://blog.ilja.space/@/ilja/atom.xml) [(Feed)](https://blog.ilja.space/@/ilja/atom.xml)
- [MWL Blather](https://mwl.io) [(Feed)](http://blather.michaelwlucas.com/feed)
- [Paritybit](https://www.paritybit.ca) [(Feed)](https://www.paritybit.ca/feed.xml)
- [Secluded.Site](https://secluded.site) [(Feed)](https://secluded.site/posts/index.xml)
- [Signs of Triviality](http://www.netmeister.org/blog/) [(Feed)](https://www.netmeister.org/blog/rss.xml)
- [Snikket Blog on Snikket Chat](https://snikket.org/blog/index.xml) [(Feed)](https://snikket.org/blog/index.xml)
- [That HTML Blog](https://thathtml.blog/) [(Feed)](https://thathtml.blog/feed.xml)
- [The Spicy Web](https://www.spicyweb.dev/) [(Feed)](https://www.spicyweb.dev/feed.xml)
- [Thib' Blog](https://ergaster.org/) [(Feed)](https://ergaster.org/rss.xml)
- [tonsky.me](http://tonsky.me) [(Feed)](http://tonsky.me/blog/atom.xml)
- [Waldon](https://waldon.blog) [(Feed)](https://waldon.blog/feed)
- [Xe's Blog](https://xeiaso.net/blog) [(Feed)](https://xeiaso.net/blog.rss)

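Review bot: two feed URLs in this hunk are fetched over plain http (`http://blather.michaelwlucas.com/feed` and `http://tonsky.me/blog/atom.xml`, plus the site link `http://www.netmeister.org/blog/`), and the hunk header says this file is produced from the OPML by `opml2md`. A feed reader polls these URLs unauthenticated on a schedule, so a plaintext feed can be altered or replaced in transit; switch them to https in the OPML source and regenerate rather than patching the generated markdown. The header counts 18 old lines against 14 new, but this rendering shows no +/- markers, so which four entries are being dropped cannot be confirmed from the page; naming them in the commit message would help.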
@ -87,7 +83,6 @@ the feed or `opml2md`'s best guess.
- [Hacker Stations](https://hackerstations.com/index.xml) [(Feed)](https://hackerstations.com/index.xml)
- [Ink & Switch](https://www.inkandswitch.com/index.xml) [(Feed)](https://www.inkandswitch.com/index.xml)
- [jmp.chat](https://blog.jmp.chat) [(Feed)](https://blog.jmp.chat/atom.xml)
- [Kagi Blog](https://blog.kagi.com/rss.xml) [(Feed)](https://blog.kagi.com/rss.xml)
- [Modos Laptop](https://www.modos.tech) [(Feed)](https://www.modos.tech/rss)
- [Sourcehut](https://sourcehut.org) [(Feed)](https://sourcehut.org/blog/index.xml)


@ -108,10 +103,10 @@ the feed or `opml2md`'s best guess.
- [Deeplinks](https://www.eff.org) [(Feed)](https://www.eff.org/rss/updates.xml)
- [DEV Community: Gary Kramlich](https://dev.to/feed/grim/) [(Feed)](https://dev.to/feed/grim/)
- [F-Droid](https://f-droid.org) [(Feed)](https://f-droid.org/en/feed.xml)
- [Golang Weekly](https://golangweekly.com/) [(Feed)](https://golangweekly.com/rss/)
- [InfoWorld Matt Asay](https://www.infoworld.com) [(Feed)](http://www.infoworld.com/author/Matt-Asay/index.rss)
- [IPFS Blog & News](https://blog.ipfs.tech) [(Feed)](https://blog.ipfs.tech/index.xml)
- [iTWire - Sam Varghese](https://itwire.com) [(Feed)](http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed)
- [IVPN Blog](https://www.ivpn.net) [(Feed)](https://www.ivpn.net/blog/index.xml)
- [Jack Whitham](https://www.jwhitham.org/) [(Feed)](https://www.jwhitham.org/rss.xml)
- [Jim Salter – Ars Technica](https://arstechnica.com) [(Feed)](https://arstechnica.com/author/jimsalter/feed/)
- [Jolla Blog](https://blog.jolla.com) [(Feed)](https://blog.jolla.com/feed/)

@ -133,7 +128,6 @@ the feed or `opml2md`'s best guess.
- [The Invisible Things](https://blog.invisiblethings.org/) [(Feed)](http://blog.invisiblethings.org/feed.xml)
- [The Register](https://www.theregister.com/) [(Feed)](http://www.theregister.co.uk/headlines.atom)
- [The Verge](https://www.theverge.com/) [(Feed)](http://www.theverge.com/rss/full.xml)
- [The Verge - Installer s](https://www.theverge.com/installer-newsletter) [(Feed)](https://www.theverge.com/rss/installer-newsletter/index.xml)
- [Threatpost](https://threatpost.com) [(Feed)](https://threatpost.com/feed)
- [TorrentFreak](https://torrentfreak.com/) [(Feed)](http://feeds.feedburner.com/Torrentfreak)
- [Wired Security](https://www.wired.com) [(Feed)](https://www.wired.com/feed/category/security/latest/rss)

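Review bot: the TorrentFreak entry fetches `http://feeds.feedburner.com/Torrentfreak`, a third-party redirector over plain http, and The Invisible Things, The Register and The Verge feeds are also http (`http://blog.invisiblethings.org/feed.xml`, `http://www.theregister.co.uk/headlines.atom`, `http://www.theverge.com/rss/full.xml`) even though their site links are https. Prefer each publisher's own https feed URL so that what the reader ingests cannot be rewritten by an on-path party or by the intermediary; as this file is generated, make the change in the OPML.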
@ -48,10 +48,10 @@ migrate as soon as there's an installable release.
RAM, it's going to make do with 200 MBs of RAM and the kernel's <abbr
title="Out Of Memory">OOM</abbr> killer is going to have a fun time 🤠
- **Portability:** once set up and configured, VMs and containers can mostly be
treated as closed boxes; as long as the surrounding environment of the new
host is similar to the previous in terms of communication (proxies, web
servers, etc.), they can just be picked up and dropped between various hosts
as necessary.
treated as black boxes; as long as the surrounding environment of the new host
is similar to the previous in terms of communication (proxies, web servers,
etc.), they can just be picked up and dropped between various hosts as
necessary.
- **Density:** applications are usually much lighter than the systems they're
running on, so it makes sense to run many applications on one system. VMs and
containers facilitate that without sacrificing security.

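Review bot: the Density bullet's last line, `containers facilitate that without sacrificing security.`, is unchanged context here, but it states an unqualified equivalence between VMs and containers that the rest of the post does not support: the diagrams in the later hunks put every container under one `Host kernel`, while `VMs use virtualisation to achieve isolation`, so a kernel bug is shared fate for all containers on a host in a way it is not for VMs. Suggest `without sacrificing much security` or a cross-reference to the VM bullet about the battle-tested isolation technique. The rewrap itself (`closed boxes` to `black boxes`) is fine.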
@ -124,43 +124,19 @@ hk.os.h.k3.os3.app3: Many apps

## Containers

VMs use virtualisation to achieve isolation. Containers use **namespaces** and
**cgroups**, technologies pioneered in the Linux kernel. By now, though, there
are [equivalents for Windows] and possibly other platforms.
As most people know them right now, containers are exclusive to Linux.[^1] This is
because they use namespaces and cgroups to achieve isolation.

[equivalents for Windows]: https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20170127-introducing-the-host-compute-service-hcs

**[Linux namespaces]** partition kernel resources like process IDs, hostnames,
user IDs, directory hierarchies, network access, etc. This prevents one
collection of processes from seeing or gaining access to data regarding another
collection of processes.

**[Cgroups]** limit, track, and isolate the hardware resource use of a
collection of processes. If you tell a cgroup that it's only allowed to spawn
500 child processes and someone executes a fork bomb, the fork bomb will expand
until it hits that limit. The kernel will prevent it from spawning further
children and you'll have to resolve the issue the same way you would with VMs:
delete and re-create it, restore from a good backup, etc. You can also limit CPU
use, the number of CPU cores it can access, RAM, disk use, and so on.
- **[Linux namespaces]** partition kernel resources like process IDs, hostnames,
user IDs, directory hierarchies, network access, etc.
- **[Cgroups]** limit, track, and isolate the hardware resource use of a set of
processes

[Linux namespaces]: https://en.wikipedia.org/wiki/Linux_namespaces
[Cgroups]: https://en.wikipedia.org/wiki/Cgroups

### Application containers

The most well-known example of application container tech is probably
[Docker.][docker] The goal here is to run a single application as minimally as
possible inside each container. In the case of a single, statically-linked Go
binary, a minimal Docker container might contain nothing more than the binary.
If it's a Python application, you're more likely to use an [Alpine Linux image]
and add your Python dependencies on top of that. If a database is required, that
goes in a separate container. If you've got a web server to handle TLS
termination and proxy your application, that's a third container. One cohesive
system might require many Docker containers to function as intended.

[docker]: https://docker.com/
[Alpine Linux image]: https://hub.docker.com/_/alpine

```kroki {type=d2,d2theme=flagship-terrastruct,d2sketch=true}
Host kernel.Container runtime.c1: Container
Host kernel.Container runtime.c2: Container

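Review bot: the replacement sentence `containers are exclusive to Linux.[^1]` references a footnote whose definition does not appear in any hunk of this diff, and it contradicts the lines it replaces, which pointed readers to `[equivalents for Windows]` (the Host Compute Service link). Either make that link the body of `[^1]` or drop the marker; as it stands the reference is dangling. The condensed cgroups bullet also loses the post's only concrete illustration of a resource limit (the 500-child cap that stops a fork bomb and the note that recovery works like it does for a VM); keeping one sentence of that would preserve the security point the heading promises.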
@ -173,21 +149,6 @@ Host kernel.Container runtime.c3.Full OS.Many apps

### System containers

One of the most well-known examples of system container tech is the subject of
this post: LXD! Rather than containing a single application or a very small set
of them, system containers are designed to house entire operating systems, like
[Debian] or [Rocky Linux,][rocky] along with everything required for your
application. Using our examples from above, a single statically-linked Go binary
might run in a full Debian container, just like the Python application might.
The database and webserver might go in _that same_ container.

[Debian]: https://www.debian.org/
[rocky]: https://rockylinux.org/

You treat each container more like you would a VM, but you get the performance
benefit of _not_ virtualising everything. Containers are _much_ lighter than any
virtual machine.

```kroki {type=d2,d2theme=flagship-terrastruct,d2sketch=true}
hk: Host kernel
hk.c1: Container

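Review bot: after this hunk the `### System containers` heading is followed directly by the d2 diagram; the removed paragraph was the only place the post defined a system container, the only mention that LXD is `the subject of this post`, and the sentence `You treat each container more like you would a VM, but you get the performance benefit of _not_ virtualising everything` carried the argument that the Density bullet earlier relies on. Suggest keeping at least the first two sentences so the heading is not empty and the later `### System containers` / `Anything not listed above` recommendation has something to refer back to.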
@ -201,42 +162,29 @@ hk.c2.os2.app2: Many apps
hk.c3.os3.app3: Many apps
```

## When to use which
## When to use VMs

{{< adm type="warn" >}}
**Warning:** this is my personal opinion. Please evaluate each technology and
determine for yourself whether it's a suitable fit for your environment.
{{< /adm >}}

As far as I'm aware, VMs are your only option when you want to work with
esoteric hardware or hardware you don't physically have on-hand. It's also your
only option when you want to work with foreign operating systems: running Linux
on Windows, Windows on Linux, or OpenBSD on a Mac all require virtualisation.
Another reason to stick with VMs is for compliance purposes. Containers are
still very new and some regulatory bodies require virtualisation because it's a
decades-old and battle-tested isolation technique.
- Virtualising esoteric hardware
- Virtualising non-Linux operating systems (Windows, macOS)
- Completely isolating processes from one another with a decades-old, battle-tested technique

{{< adm type="note" >}}
See Drew DeVault's blog post [_In praise of qemu_][qemu] for a great use of VMs

[qemu]: https://drewdevault.com/2022/09/02/2022-09-02-In-praise-of-qemu.html
See Drew DeVault's blog post [_In praise of qemu_](https://earl.run/rmBs) for a great use of VMs
{{< /adm >}}

Application containers are particularly popular for [microservices] and
[reproducible builds,][repb] though I personally think [NixOS] is a better fit
for the latter. App containers are also your only option if you want to use
cloud platforms with extreme scaling capabilities like Google Cloud's App Engine
standard environment or AWS's Fargate.
### When you use application containers

[microservices]: https://en.wikipedia.org/wiki/Microservices
[repb]: https://en.wikipedia.org/wiki/Reproducible_builds
[NixOS]: https://nixos.org/

- When the app you want to run is _only_ distributed as a Docker container and
- Microservices
- Extremely reproducible builds
- (NixOS.org would likely be a better fit though)
- Dead-set on using cloud platforms with extreme scaling capabilities (AWS, GCP, etc.)
- When the app you want to run is _only_ distributed as a Docker container and
the maintainers adamantly refuse to support any other deployment method
- (Docker does run in LXD 😉)
- System containers
- Anything not listed above 👍

### System containers

- Anything not listed above 👍

## Crash course to LXD

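Review bot: the qemu link changes from the direct `[qemu]: https://drewdevault.com/2022/09/02/2022-09-02-In-praise-of-qemu.html` to the shortener `https://earl.run/rmBs`; a shortener hides the destination from readers and makes the target depend on a third party that can later redirect it, so keep the direct URL (the `[qemu]` reference definition being removed already has it). Two smaller points: the new heading `### When you use application containers` should read `When to use`, matching `## When to use VMs`; and the new bullet `Completely isolating processes from one another` claims more than the prose it replaces, which only said regulators prefer VMs as a `decades-old and battle-tested isolation technique`, so `Strongly isolating` would be the accurate condensation.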
@ -14,18 +14,14 @@
<outline text="Blog – JoeRess.com" type="rss" xmlUrl="https://joeress.com/category/blog/feed/" htmlUrl="https://joeress.com"></outline>
<outline text="Ctrl blog" type="rss" xmlUrl="https://feed.ctrl.blog/latest.atom" htmlUrl="https://feed.ctrl.blog"></outline>
<outline text="Drew DeVault's blog" type="rss" xmlUrl="https://drewdevault.com/blog/index.xml" htmlUrl="https://drewdevault.com"></outline>
<outline text="duponin" type="rss" xmlUrl="https://dupon.in/index.xml" htmlUrl="https://dupon.in/index.xml"></outline>
<outline text="Gaia Newsletter" type="rss" xmlUrl="https://apprise.prod.gaiaplant.app/archive.xml" htmlUrl="https://apprise.prod.gaiaplant.app"></outline>
<outline text="Grumpy Website" type="rss" xmlUrl="https://grumpy.website/feed.xml" htmlUrl="https://grumpy.website"></outline>
<outline text="ilja" type="rss" xmlUrl="https://blog.ilja.space/@/ilja/atom.xml" htmlUrl="https://blog.ilja.space/@/ilja/atom.xml"></outline>
<outline text="MWL Blather" type="rss" xmlUrl="http://blather.michaelwlucas.com/feed" htmlUrl="https://mwl.io"></outline>
<outline text="Paritybit" type="rss" xmlUrl="https://www.paritybit.ca/feed.xml" htmlUrl="https://www.paritybit.ca"></outline>
<outline text="Secluded.Site" type="rss" xmlUrl="https://secluded.site/posts/index.xml" htmlUrl="https://secluded.site"></outline>
<outline text="Signs of Triviality" type="rss" xmlUrl="https://www.netmeister.org/blog/rss.xml" htmlUrl="http://www.netmeister.org/blog/"></outline>
<outline text="Snikket Blog on Snikket Chat" type="rss" xmlUrl="https://snikket.org/blog/index.xml" htmlUrl="https://snikket.org/blog/index.xml"></outline>
<outline text="That HTML Blog" type="rss" xmlUrl="https://thathtml.blog/feed.xml" htmlUrl="https://thathtml.blog/"></outline>
<outline text="The Spicy Web" type="rss" xmlUrl="https://www.spicyweb.dev/feed.xml" htmlUrl="https://www.spicyweb.dev/"></outline>
<outline text="Thib' Blog" type="rss" xmlUrl="https://ergaster.org/rss.xml" htmlUrl="https://ergaster.org/"></outline>
<outline text="tonsky.me" type="rss" xmlUrl="http://tonsky.me/blog/atom.xml" htmlUrl="http://tonsky.me"></outline>
<outline text="Waldon" type="rss" xmlUrl="https://waldon.blog/feed" htmlUrl="https://waldon.blog"></outline>
<outline text="Xe's Blog" type="rss" xmlUrl="https://xeiaso.net/blog.rss" htmlUrl="https://xeiaso.net/blog"></outline>

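Review bot: this is the source the markdown blogroll is generated from, so the plaintext feed URLs should be fixed here: `xmlUrl="http://blather.michaelwlucas.com/feed"` and `xmlUrl="http://tonsky.me/blog/atom.xml"` are fetched over http, and `htmlUrl="http://www.netmeister.org/blog/"` links the site over http while its feed is https. Separately, `duponin`, `ilja` and `Snikket Blog on Snikket Chat` have `htmlUrl` equal to `xmlUrl`, which is why the generated list links those names to the feed instead of the site.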
@ -66,7 +62,6 @@
<outline text="Hacker Stations" type="rss" xmlUrl="https://hackerstations.com/index.xml" htmlUrl="https://hackerstations.com/index.xml"></outline>
<outline text="Ink & Switch" type="rss" xmlUrl="https://www.inkandswitch.com/index.xml" htmlUrl="https://www.inkandswitch.com/index.xml"></outline>
<outline text="jmp.chat" type="rss" xmlUrl="https://blog.jmp.chat/atom.xml" htmlUrl="https://blog.jmp.chat"></outline>
<outline text="Kagi Blog" type="rss" xmlUrl="https://blog.kagi.com/rss.xml" htmlUrl="https://blog.kagi.com/rss.xml"></outline>
<outline text="Modos Laptop" type="rss" xmlUrl="https://www.modos.tech/rss" htmlUrl="https://www.modos.tech"></outline>
<outline text="Sourcehut" type="rss" xmlUrl="https://sourcehut.org/blog/index.xml" htmlUrl="https://sourcehut.org"></outline>
</outline>

@ -85,10 +80,10 @@
<outline text="Deeplinks" type="rss" xmlUrl="https://www.eff.org/rss/updates.xml" htmlUrl="https://www.eff.org"></outline>
<outline text="DEV Community: Gary Kramlich" type="rss" xmlUrl="https://dev.to/feed/grim/" htmlUrl="https://dev.to/feed/grim/"></outline>
<outline text="F-Droid" type="rss" xmlUrl="https://f-droid.org/en/feed.xml" htmlUrl="https://f-droid.org"></outline>
<outline text="Golang Weekly" type="rss" xmlUrl="https://golangweekly.com/rss/" htmlUrl="https://golangweekly.com/"></outline>
<outline text="InfoWorld Matt Asay" type="rss" xmlUrl="http://www.infoworld.com/author/Matt-Asay/index.rss" htmlUrl="https://www.infoworld.com"></outline>
<outline text="IPFS Blog & News" type="rss" xmlUrl="https://blog.ipfs.tech/index.xml" htmlUrl="https://blog.ipfs.tech"></outline>
<outline text="iTWire - Sam Varghese" type="rss" xmlUrl="http://www.itwire.com/freelancer/itemlist/user/902-samvarghese?format=feed" htmlUrl="https://itwire.com"></outline>
<outline text="IVPN Blog" type="rss" xmlUrl="https://www.ivpn.net/blog/index.xml" htmlUrl="https://www.ivpn.net"></outline>
<outline text="Jack Whitham" type="rss" xmlUrl="https://www.jwhitham.org/rss.xml" htmlUrl="https://www.jwhitham.org/"></outline>
<outline text="Jim Salter – Ars Technica" type="rss" xmlUrl="https://arstechnica.com/author/jimsalter/feed/" htmlUrl="https://arstechnica.com"></outline>
<outline text="Jolla Blog" type="rss" xmlUrl="https://blog.jolla.com/feed/" htmlUrl="https://blog.jolla.com"></outline>

@ -110,7 +105,6 @@
<outline text="The Invisible Things" type="rss" xmlUrl="http://blog.invisiblethings.org/feed.xml" htmlUrl="https://blog.invisiblethings.org/"></outline>
<outline text="The Register" type="rss" xmlUrl="http://www.theregister.co.uk/headlines.atom" htmlUrl="https://www.theregister.com/"></outline>
<outline text="The Verge" type="rss" xmlUrl="http://www.theverge.com/rss/full.xml" htmlUrl="https://www.theverge.com/"></outline>
<outline text="The Verge - Installer s" type="rss" xmlUrl="https://www.theverge.com/rss/installer-newsletter/index.xml" htmlUrl="https://www.theverge.com/installer-newsletter"></outline>
<outline text="Threatpost" type="rss" xmlUrl="https://threatpost.com/feed" htmlUrl="https://threatpost.com"></outline>
<outline text="TorrentFreak" type="rss" xmlUrl="http://feeds.feedburner.com/Torrentfreak" htmlUrl="https://torrentfreak.com/"></outline>
<outline text="Wired Security" type="rss" xmlUrl="https://www.wired.com/feed/category/security/latest/rss" htmlUrl="https://www.wired.com"></outline>
